Re: Password Policy

From: Christopher Browne <cbbrowne(at)acm(dot)org>
To: pgsql-admin(at)postgresql(dot)org
Subject: Re: Password Policy
Date: 2007-02-11 05:18:23
Message-ID: 87ejoxgtls.fsf@wolfe.cbbrowne.com
Lists: pgadmin-support pgsql-admin pgsql-general pgsql-sql

In the last exciting episode, ezequias(dot)rocha(at)gmail(dot)com ("Ezequias Rodrigues da Rocha") wrote:
> Hi list (my first post),
>
> Is there any password policy that PostgreSQL implements?

No, that would be a serious mistake, as it would prevent people from
having local policies that differed from the "PostgreSQL policy."

> It is possible to put a set all no administrators passwords to
> = '123456' from times and times ?

I'm not quite certain what you mean by that...

Do you mean you want to be able to set all non-administrators'
passwords to some particular value?

You could do that by setting one user's password to a particular
plaintext form, and then alter the others to match it.

Thus:

alter user stalking_horse password '123456';
update pg_shadow set passwd = (select passwd from pg_shadow where usename = 'stalking_horse') where not usesuper;

I'm not sure that's an entirely wonderful policy, though.

> Has anyone implemented dynamic password authentication (the password
> changes according to the date/month etc. of a day)?

Well, you could use ident-based authentication, and then use some
wacky method to authenticate the user at the Unix level via PAM...

Changing passwords that often strikes me as being the wrong kind of
approach to this. Having a flurry of passwords that users can't
possibly remember is a clear route to having passwords sitting on
Post-It notes on cubicles.

I'd be much more inclined to use an unrememberable random password,
stowed in ~/.pgpass, which doesn't need to expire terribly often.

The other option would be to use ssh style keys for authentication;
that isn't possible now, but would be an attractive feature.

> Is there any function to encrypt, decrypt plain text in PostgreSQL
> and if it is applicable?

There is a contrib module, pgcrypto, which is quite suitable for such
purposes...
--
output = ("cbbrowne" "@" "gmail.com")
http://linuxfinances.info/info/emacs.html
The purpose of an undergraduate education at MIT is to give you a case
of post-traumatic stress syndrome that won't wear off for forty years.
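
The ~/.pgpass suggestion in the message above, as an added example that is not part of the original message: it generates a random password, formats a `hostname:port:database:username:password` entry with the escaping libpq expects, and writes the file owner-only. The host, database and role names are constructed placeholders, and the function names are this example's own.

```python
import os
import secrets
import string

# Password alphabet; ':' and '\' are included on purpose to show that the
# .pgpass escaping below copes with them.
ALPHABET = string.ascii_letters + string.digits + "!#%+-=:\\"

def generate_password(length=32):
    """Random password from the OS CSPRNG; not meant to be memorised."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def escape_field(value):
    """Backslash-escape ':' and '\\', as libpq requires inside a .pgpass field."""
    return value.replace("\\", "\\\\").replace(":", "\\:")

def pgpass_line(host, port, database, user, password):
    """One entry in the hostname:port:database:username:password format."""
    fields = (host, str(port), database, user, password)
    return ":".join(escape_field(f) for f in fields)

def split_pgpass_line(line):
    """Inverse of pgpass_line, used to check that the escaping round-trips."""
    fields, current, chars = [], [], iter(line)
    for ch in chars:
        if ch == "\\":
            current.append(next(chars, ""))  # take the escaped character literally
        elif ch == ":":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
    fields.append("".join(current))
    return fields

def write_pgpass(path, lines):
    """Write the file with mode 0600; libpq ignores a .pgpass open to group/other."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as handle:
        os.fchmod(handle.fileno(), 0o600)  # also tightens a pre-existing file
        handle.write("\n".join(lines) + "\n")

if __name__ == "__main__":
    # Constructed sample values: host, database and role are placeholders.
    print(pgpass_line("db.example.internal", 5432, "appdb", "app_user",
                      generate_password()))
```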
